Expected behaviour
pkcs11-tool should not crash. It should create an error message because it cannot sign data which is greater than 261 bytes in length.
Actual behaviour
pkcs11-tool crashes because of a buffer overflow in card-sm-hsm.c. The function lacks a check of the datalen variable. Under certain conditions datalen exceeds SC_MAX_APDU_BUFFER_SIZE, which causes memcpy to write past the end of the buffer.
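The defect described above is a missing bounds check before a memcpy into a fixed-size APDU buffer. The following is an added, stand-alone illustration of that pattern and its fix; it is not code from OpenSC or card-sm-hsm.c. The buffer size 261 is taken from the report's statement that data longer than 261 bytes cannot be signed, the function names and the error codes are constructed for this example, and the 468-byte input mirrors the version.m4 case in the reproduction steps.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed value: the report says data longer than 261 bytes cannot be signed. */
#define SC_MAX_APDU_BUFFER_SIZE 261

/* Constructed return codes; OpenSC uses its own SC_ERROR_* values. */
#define EX_OK                      0
#define EX_ERROR_INVALID_ARGUMENTS (-1)
#define EX_ERROR_BUFFER_TOO_SMALL  (-2)

/*
 * Unchecked form (hypothetical): copies datalen bytes into apdu_buf without
 * comparing datalen against the buffer's capacity. With datalen == 468 and a
 * 261-byte buffer this is exactly the out-of-bounds write that FORTIFY_SOURCE
 * reported as "buffer overflow detected". Kept here only for comparison; it is
 * never called with an oversized input in this example.
 */
static void build_sign_apdu_unchecked(const uint8_t *data, size_t datalen,
                                      uint8_t *apdu_buf)
{
    memcpy(apdu_buf, data, datalen);
}

/*
 * Checked form (hypothetical): rejects the request before touching the buffer
 * when datalen would not fit, so the caller gets an error instead of a crash.
 */
int build_sign_apdu_checked(const uint8_t *data, size_t datalen,
                            uint8_t *apdu_buf, size_t apdu_buf_len,
                            size_t *out_len)
{
    if (data == NULL || apdu_buf == NULL || out_len == NULL)
        return EX_ERROR_INVALID_ARGUMENTS;
    if (datalen > apdu_buf_len)          /* the check the report says is missing */
        return EX_ERROR_BUFFER_TOO_SMALL;
    memcpy(apdu_buf, data, datalen);
    *out_len = datalen;
    return EX_OK;
}

/* Simulates one sign request of input_len bytes against a 261-byte APDU buffer. */
int try_sign(size_t input_len)
{
    uint8_t input[1024];                   /* constructed input, filled with 0xAB */
    uint8_t apdu[SC_MAX_APDU_BUFFER_SIZE];
    size_t used = 0;

    if (input_len > sizeof input)
        return EX_ERROR_INVALID_ARGUMENTS;
    memset(input, 0xAB, input_len);
    return build_sign_apdu_checked(input, input_len, apdu, sizeof apdu, &used);
}

int main(void)
{
    uint8_t small[8] = {0};
    uint8_t apdu[SC_MAX_APDU_BUFFER_SIZE];

    /* The unchecked form is safe only while the caller guarantees the length. */
    build_sign_apdu_unchecked(small, sizeof small, apdu);

    printf("32 bytes  -> %d (expect 0)\n", try_sign(32));
    printf("261 bytes -> %d (expect 0)\n", try_sign(261));
    printf("468 bytes -> %d (expect -2, rejected instead of overflowing)\n",
           try_sign(468));
    return 0;
}
```

The point of the checked variant is that the length comparison happens against the real capacity of the destination buffer before memcpy runs; a request such as the 468-byte version.m4 input then fails with an error code that pkcs11-tool can report, which is the behaviour the report expects.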
Steps to reproduce
1. Create an EC key pair on a SmartCard-HSM by issuing the command: pkcs11-tool --login --pin 123456 --keypairgen --key-type EC:secp256k1 --id 1 --label ECkey
2. Try to sign e.g. the file version.m4 (468 bytes) from the top level of the OpenSC tree by issuing the command: pkcs11-tool --pin 123456 --sign --input version.m4 --id 1
pkcs11-tool then crashes emitting the log output below.
Logs
Using slot 0 with a present token (0x0)
Using signature algorithm ECDSA
*** buffer overflow detected ***: pkcs11-tool terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7f53225f838f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f532268fc9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7f532268eb60]
/data/coins/OpenSC/target/lib/libopensc.so.4(+0xc842f)[0x7f5322e3442f]
/data/coins/OpenSC/target/lib/libopensc.so.4(sc_compute_signature+0x75)[0x7f5322d90465]
/data/coins/OpenSC/target/lib/libopensc.so.4(+0x4245e)[0x7f5322dae45e]
/data/coins/OpenSC/target/lib/libopensc.so.4(sc_pkcs15_compute_signature+0x4ff)[0x7f5322daf3bf]
/data/coins/OpenSC/target/lib/opensc-pkcs11.so(+0x176f9)[0x7f53221516f9]
/data/coins/OpenSC/target/lib/opensc-pkcs11.so(+0x104ff)[0x7f532214a4ff]
/data/coins/OpenSC/target/lib/opensc-pkcs11.so(+0x11ce9)[0x7f532214bce9]
/data/coins/OpenSC/target/lib/opensc-pkcs11.so(C_Sign+0x13c)[0x7f53221470bc]
pkcs11-tool[0x408378]
pkcs11-tool[0x40576f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f53225a6ec5]